Cyber Security Challenge Belgium 2015 – Solving the SFTP challenge

Two weeks ago, we proudly organised the Cyber Security Challenge Belgium 2015 (CSCBE). The CSCBE was a typical Capture-The-Flag (CTF) competition aimed at students from universities and colleges all over Belgium. During the competition, teams of three or four students had to tackle different technical challenges in order to prove their skills. In the following weeks, we will discuss some of the challenges that the students had to solve.

SFTP

The challenge

The following challenge description was given to the students:

“One of our employees uses an SFTP server to store sensitive company files. He ensured us it’s safe. I mean… Why wouldn’t SFTP be safe?”

They were also given a target IP, a target port and some user credentials (Kermit:MissPiggy).

The challenge was designed to test a few very needed skills for every cyber security enthusiast: problem solving, using the right tool for the job, gathering information and thinking critically.

Connecting to the server

A first approach would be to connect directly to the SFTP server:

After executing the command, the terminal remains empty. This is not normal behavior for an SFTP server, which normally asks for a password, as shown below:

At this point, a lot of the students were complaining that the server was down, or that our firewall was blocking their campus networks. Every complaint was taken seriously, but every time we checked the server, it was up and running. Each time, we suggested that the students should try a different approach.

Netcat is like the swiss army knife of network tools. It can do many different things, but most importantly, it gives us complete control over which data is sent and received. Using netcat (command: nc) gives us the following output:

Now we can see that the server is actually up and running and sending us data. The server introduces itself as “+NVISO SFTP server”, which is not what you would expect from a normal SFTP server. On to the next step!

Gathering information

Although SFTP is a widely known and used acronym for the SSH File Transfer Protocol, acronyms can often mean many different things. A great resource for working out acronyms, is Wikipedia:

As we noted, SFTP stands for SSH File Transfer Protocol. However, SFTP also stands for the Simple File Transfer Protocol. This protocol is “an unsecured and rarely used protocol”, which sounds exactly like something we’d be interested in.

The Simple File Transfer Protocol is fully documented in RFC 913. According to the RFC, the server should greet a client with “+MIT-XX SFTP Service”, which is very similar to what our SFTP server sent.

Using the server

Great! We were able to log in, and there appears to be a “documents” directory. Inside the documents directory, there is a file called flag, as we can see here:

According to the documentation, we should use ‘RETR flag’ followed by ‘SEND’. But first, let’s set the transfer mode to binary, so that we are sure we get a correct file:

If we send the ‘RETR flag’ command now, the server will print the size of the flag. We can then indicate we are ready to receive the flag by sending ‘SEND’ to the server. This can most easily be done through a python script, which will store away the file correctly:

This little script uses the Pwn library, which makes communicating with the server a lot more easy. Running this script will produce a file called ‘flag’ in the current directory. By using the linux ‘file’ command, we can find out what kind of file this is:

Renaming flag to flag.jpg lets us see the image:

If you look closely, in the upper right corner of the image, it says “KermitLovesBacon”, which was the flag needed to solve this challenge.

Statistics

Fourteen teams managed to solve the challenge during the qualifiers. The first team that solved the challenge was HacknamStyle JR. HacknamStyle JR emerged as the victors in the Finals, so this may not come as a surprise. Out of the fourteen teams that managed to solve this challenge, seven earned their spot in the Finals.

Hurdles

The biggest hurdle to this challenge was actually communicating correctly with the server. Many students immediately decided that SFTP could only stand for SSH File Transfer Protocol. They quickly realized that their favourite SFTP application didn’t work, but only a few of the teams investigated the root cause of this by looking at the actual data that was sent by the server and doing some research.

One of the teams actually opened netcat and tried nearly every possible combination of four letters to see which commands worked and which didn’t. Even though they failed to find the correct protocol documentation, they did manage to get the flag. Using brute-force to solve this challenge is definitely allowed, but they could have probably saved a lot of time by doing some more research first.

Final thoughts

This challenge was definitely a success. Many teams fell into the trap of thinking it was an SSH FTP Server, which was exactly what we were hoping for. The challenge wasn’t meant to be very difficult, so we were glad that quite a number of teams were able to solve it.